Roman Danyliw's Yes on draft-ietf-httpbis-semantics-16: (with COMMENT)

Roman Danyliw via Datatracker <noreply@ietf.org> Thu, 10 June 2021 12:42 UTC

Resent-Date: Thu, 10 Jun 2021 12:32:19 +0000
Resent-Message-Id: <E1lrJr9-0005aE-3b@lyra.w3.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-httpbis-semantics@ietf.org, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, tpauly@apple.com, tpauly@apple.com
Auto-Submitted: auto-generated
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <162332812816.1576.8653380065166819501@ietfa.amsl.com>
Date: Thu, 10 Jun 2021 05:28:48 -0700
Received-SPF: pass client-ip=4.31.198.44; envelope-from=noreply@ietf.org; helo=mail.ietf.org
Subject: Roman Danyliw's Yes on draft-ietf-httpbis-semantics-16: (with COMMENT)
Archived-At: <https://www.w3.org/mid/162332812816.1576.8653380065166819501@ietfa.amsl.com>
Resent-From: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list

Roman Danyliw has entered the following ballot position for
draft-ietf-httpbis-semantics-16: Yes

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-httpbis-semantics/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

** Section 2.2.  Per “Additional (social) requirements are placed on
implementations …”, what’s a “social” requirement?

** Section 4.2.2.

Resources made available via the "https" scheme have no shared
identity with the "http" scheme.  They are distinct origins with
   separate namespaces.  However, an extension to HTTP that is defined
   to apply to all origins with the same host, such as the Cookie
   protocol [RFC6265], can allow information set by one service to
   impact communication with other services within a matching group of
   host domains.

It would be worth reiterating that it might be risky for extensions to treat
http + https origins on the same host uniformly.

** Section 5.1.  Convention question.  Per “Field names … ought to be
registered within the …” HTTP field name registry, I have a question about the
strength of the recommendation based on the use of the verb “ought” – is that
RECOMMENDED? SHOULD?  Section 8.3.1, 8.3.2, 8.4.1, 8.8.3, etc use a similar
construct.

** Section 7.2.  Does this text allow for the possibility for both a Host and
:authority be included?

** Section 9.2.1.  In addition to example of the access logs files filling the
disk, there could be significant CPU load if the target is a script.

** Section 17.1.  The text provides helpful caution by stressing that “… the
user's local name resolution    service [is used] to determine where it can
find authoritative responses.  This means that any attack on a user's network
host table, cached names, or name resolution libraries becomes an avenue for
attack on establishing authority for "http" URIs.”  The subsequent text
highlights DNSSEC as improving authenticity.  It seems that the integrity
provided by DoT or DoH would also be relevant.

** Section 17.2

Users need to be aware that intermediaries are no more trustworthy than the
people who run them; HTTP itself cannot solve this problem.

No disagreement with the sentiment, but I would recommend not framing it in
term of the trustworthiness of the _people_ (i.e., intermediaries with poor
security or privacy practices is not necessarily due to the lack of
trustworthiness of the engineers operating the service; perhaps these services
are also run in of jurisdictions where confidence in them should be reduced).

NEW
Users need to be aware that intermediaries are no more trustworthy that the
entities that operate them and the policies governing them; HTTP itself cannot
solve this problem.

** Section 17.5.  More generically describe the attack

OLD
Failure to limit such processing can result in buffer overflows, arithmetic
overflows, or increased vulnerability to
   denial-of-service attacks.

NEW
Failure to limit such processing can result in arbitrary code execution due to
a buffer overflows or arithmetic overflows; or increased vulnerability to
denial-of-service attacks.

** Editorial

-- Section 3.5.  Should s/advance configuration choices/advanced configuration
choices/?

-- Section 4.2.2.
A client MUST ensure that its HTTP requests for an "https" resource
   are secured, prior to being communicated, and that it only accepts
   secured responses to those requests.  Note that the definition of
   what cryptographic mechanisms are acceptable to client and server are
   usually negotiated and can change over time.

This text goes from referring to “secured” in the first sentence to
“[acceptable] cryptographic mechanisms” in the second sentence.  To link them,
perhaps s/are secured/are cryptographically secured/

-- Section 6.5.  Typo. s/section_ are are/section_ are/

-- Section 11.1.  The text (at least when read as a .txt) isn’t showing RFC7617
or RFC7616 as references.

-- Section 14.1.1.  Typo. s/gramar/grammar/

Roman Danyliw's Yes on draft-ietf-httpbis-semanti… Roman Danyliw via Datatracker